Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.
AnalysisAI
SQL injection in SOGo 5.12.7 (Alinto's open-source groupware/webmail platform) allows authenticated users to exfiltrate arbitrary database contents by injecting subqueries through the uid parameter of the addUserInAcls endpoint, then reading the staged data back via the /acls API. The flaw, reported by VulnCheck (with credit to dninh of SACOMBANK), is fixed in 5.12.8; no public exploit identified at time of analysis and the CVE is not on CISA KEV.
Technical ContextAI
SOGo is a groupware server providing webmail, calendaring, and address-book services, commonly fronted by Apache/nginx and backed by PostgreSQL or MySQL where the sogo_acl table stores Access Control List entries for shared folders. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) here manifests because the addUserInAcls endpoint concatenates the user-supplied uid parameter into the ACL INSERT/UPDATE statement without parameterization, letting an attacker craft a subquery whose result is written into the acl row and then read back through the standard /acls retrieval API - a clean out-of-band channel. CPE cpe:2.3:a:alinto:sogo_webmail:*:*:*:*:*:*:*:* indicates all prior SOGo Webmail builds are in scope, and the vendor release notes confirm the issue affects any previous SOGo version.
RemediationAI
Vendor-released patch: SOGo 5.12.8 - upgrade immediately following the release notes at https://www.sogo.nu/news/2026/sogo-v5128-released.html (note the vendor warns of possible regressions, mainly in the mail view, after upgrade). If patching must be deferred briefly, restrict reachability of the SOGo web UI to trusted networks or VPN, block or reverse-proxy-filter requests to the /SOGo/so/*/Calendar/.../addUserInAcls and /acls endpoints for non-administrative users, audit the sogo_acl table for anomalous uid values containing SQL metacharacters or subquery syntax, and rotate any credentials or secrets stored in the same database since arbitrary contents may have been read; each of these controls breaks ACL sharing workflows for affected users and should be lifted once 5.12.8 is deployed.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30804
GHSA-7vv4-j48f-wcx7